Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Meet User A. Rather than trust the certificate signing activities of a random selection of "CAs" who have all paid a fee to a self-appointed "CA root" (as do all "modern" browser), she has created her own CA root using openssl and prefers to sign her own certificates for the websites she uses. She does not "trust" other CAs, she only trusts the certificates she herself issues and signs. User A can thus, if necessary, monitor her own SSL traffic by using a small program running on her computer called a proxy. (No Python is necessary.) As with non-encrypted traffic, she can run tcpdump to see what is being sent to and from her computer to remote websites. She can then assess the implications and block, filter or redirect certain connections and sanitize the traffic if she wishes, with the help of DNS (because she runs her own root.zone and local cache), and her packet filter, also known as an in-kernel firewall.

Meet User B. User B has the same basic computer skills as User A, but User B uses the Chrome browser. Thanks to "certificate pinning", User B cannot monitor what is being sent from her computer to Google.

User B wants to see what is being sent to and from her computer by Google. Can she do this and still use Chrome?



My understanding is that Chrome only cares about this sort of thing when it's a CA in the default trust store that shouldn't be impersonating them. User-added certs like in your example are fine, because explicit action was taken.

See Adam Langley's blog about this here: https://www.imperialviolet.org/2011/05/04/pinning.html


"... user installed root CAs are given the authority to override pins."

This is the answer I was seeking. Thank you!


You can also write a Chrome extension to monitor traffic:

http://developer.chrome.com/extensions/webRequest.html


i believe chrome uses NSS which can be configured by environment variable to dump session keys

https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+Al...


Does this require a writeable, user-accessible file on the computer where the browser is installed? (versus, e.g., a gateway computer the user controls that can run openssl, the proxy, tcpdump and the packet filter)

If yes, how would the NSS solution work if the user is browsing from a device that hides and even tries to deny the user access to the filesystem, like one of today's smartphones or tablets?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: